#####################################################################################
#
# safe_browsing_api.pl
#   Looks up URLs via Google's Safe Browsing API 
#   
# References:
#   https://developers.google.com/safe-browsing/
#
# Plugin Author: Ryan Benson (ryan@obsidianforensics.com)
#
#####################################################################################

package safe_browsing_api;
use strict;
use HTTP::Request::Common qw(GET);
use LWP::UserAgent;
use URI::Escape;

my %config = (friendlyName   => "Safe Browsing API Lookup",
              description    => "Looks up URLs via Google's Safe Browsing API",
              artifactType   => "url",
              remoteLookups  => 1,
              browser        => "any",
              browserVersion => 0,
              version        => 20120615);

sub getConfig       { return %config; }
sub getFriendlyName { return $config{friendlyName}; }
sub getDescription  { return $config{description};; }
sub getArtifactType { return $config{artifactType}; }
sub getRemoteLookups{ return $config{remoteLookups}; }
sub getVersion      { return $config{version}; }

sub pluginmain{

# Uncomment next line and enter your Safe Browsing API key here
# my $safe_browsing_api_key = "enter key here";

    if ($safe_browsing_api_key){

        my $select_h = $::datastore->prepare(" SELECT DISTINCT url_root FROM urls ");
        my $update_h = $::datastore->prepare(" UPDATE urls SET safe_browsing=? WHERE url_root=? ");
        $select_h->execute();

        my $ua = LWP::UserAgent->new;
        my $counter = 0;
         while (my @row = $select_h->fetchrow) {
            my $safe_browsing_get = GET 'https://sb-ssl.google.com/safebrowsing/api/lookup?client=hindsight&apikey=' . $safe_browsing_api_key . "&appver=" . $::version . "&pver=3.0&url=" . uri_escape($row[0]), [];
            my $res = $ua->request($safe_browsing_get);
            my $sb_lookup = "[not looked up]";
            if ($res->status_line=~/200/)    { $sb_lookup = $res->content };
            if ($res->status_line=~/204/)    { $sb_lookup = "clean" };
            if ($res->status_line=~/400/)    { $sb_lookup = "bad request" };
            if ($res->status_line=~/401/)    { $sb_lookup = "not authorized" };    
            if ($res->status_line=~/403/)    { $sb_lookup = "not authorized" };  
            if ($res->status_line=~/503/)    { $sb_lookup = "service unavailable" };

            $update_h->execute( $sb_lookup, $row[0] );
            $counter++;
        }
        ::printStatus("$counter unique URLs looked up");
    } else { ::printStatus('no API key'); }
}

1;